From 2e130b43e68f1fcd3f758062a88a22acb1c8c748 Mon Sep 17 00:00:00 2001 From: "cid-workflow[bot]" <142626371+cid-workflow[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 21:16:12 +0200 Subject: [PATCH] ci: update cid github actions workflow from 0.0.11 to 0.0.17 (#2) Co-authored-by: cid-workflow[bot] <142626371+cid-workflow[bot]@users.noreply.github.com> --- .github/workflows/cid-ossf.yml | 80 +++++++++++++++++++++++++++ .github/workflows/cid-pullrequest.yml | 48 +++++++++------- .github/workflows/cid.yml | 68 +++++++++++++---------- 3 files changed, 147 insertions(+), 49 deletions(-) create mode 100644 .github/workflows/cid-ossf.yml diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml new file mode 100644 index 0000000..977a750 --- /dev/null +++ b/.github/workflows/cid-ossf.yml 
@@ -0,0 +1,80 @@ +# cid-workflow-version: 0.0.17 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: CID - OSSF Scorecard +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '40 23 * * 5' + # Allow manual triggering of the workflow + workflow_dispatch: + +# Read Permissions. See +# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: read-all + +# Cancel in progress jobs when a new run starts on the same ref +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +jobs: + analysis: + name: OSSF Scorecard Analysis + runs-on: ubuntu-latest + permissions: + id-token: write # needed to publish results + actions: read # required in private repos + contents: read # required in private repos + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + disable-telemetry: true + disable-sudo: true + egress-policy: block + allowed-endpoints: >- + api.github.com:443 + cdn01.quay.io:443 + cdn02.quay.io:443 + cdn03.quay.io:443 + codeload.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + quay.io:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + sum.golang.org:443 + uploads.github.com:443 + api.osv.dev:443 + www.bestpractices.dev:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + fulcio.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + 
api.securityscorecards.dev:443 + - name: Checkout + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + persist-credentials: false + - name: OSSF Analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true # publish results to OpenSSF REST API + - name: Upload Analysis Result + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml index 53eb3e0..0e17ad3 100644 --- a/.github/workflows/cid-pullrequest.yml +++ b/.github/workflows/cid-pullrequest.yml @@ -1,7 +1,10 @@ -# cid-workflow-version: 0.0.11 +# cid-workflow-version: 0.0.17 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! # name -name: cid-pullrequest +name: CID - PullRequest # triggers on: @@ -23,7 +26,6 @@ on: paths-ignore: - README.md - LICENSE - - .github/** - .gitignore - .editorconfig - renovate.json @@ -60,12 +62,14 @@ env: cdn01.quay.io:443 cdn02.quay.io:443 cdn03.quay.io:443 + codeload.github.com:443 github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 quay.io:443 raw.githubusercontent.com:443 storage.googleapis.com:443 + sum.golang.org:443 uploads.github.com:443 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" @@ -74,7 +78,7 @@ env: semgrep.dev:443 sonarcloud.io:443 EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- # jobs jobs: 
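Review bot: The `concurrency.group` expression in the new cid-ossf.yml references `github.event.pull_request.head.label` and `github.head_ref`, yet the workflow's only triggers are `branch_protection_rule`, `schedule` and `workflow_dispatch`, so both terms are always empty and the group collapses to `${{ github.workflow }} @ ${{ github.ref }}`; writing it that way says what actually happens. The trigger list also has no `push` on the default branch, which the upstream scorecard-action example workflow includes so that published results follow merges instead of waiting for the weekly cron at `'40 23 * * 5'` — worth confirming that lag is intended. The rest of the file reads as sound: `permissions: read-all` with `id-token: write` scoped to the job, `persist-credentials: false` on checkout, and `egress-policy: block` with an explicit allow-list. Since the header marks the file `DO NOT EDIT!`, both points belong in the template the CID Workflow app renders rather than in this repository.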
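Review bot: `EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-` in the `@@ -74,7 +78,7 @@` hunk is a folded block scalar with no body, which parses to the empty string only because the following `# jobs` comment is less indented than the key; the identical construct lands in cid.yml at `@@ -76,7 +80,7 @@`. It is the one allow-list in these files whose emptiness is not visible at a glance, and any later line indented under it would silently become scalar content rather than a comment, since `#` is not a comment inside a block scalar. When the rendered list is empty, keep the explicit value the old line had, `EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: ""`, and emit `>-` only when at least one endpoint follows; as both files are generated, this is a template fix. The variable is consumed on the publish job's `allowed-endpoints:` line in cid.yml, outside this hunk, and the enclosing `env:` mapping starts outside it as well.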
@@ -86,17 +90,18 @@ jobs: if: ${{ github.event.inputs.loglevel == 'debug' }} steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: info @@ -118,17 +123,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: build 
@@ -138,7 +144,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - name: upload artifacts - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: build-${{ github.run_id }} path: .dist @@ -152,17 +158,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: test @@ -172,7 +179,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - name: upload artifacts - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: test-${{ github.run_id }} path: .dist 
@@ -188,27 +195,28 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist continue-on-error: true - name: download artifacts > test - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: test-${{ github.run_id }} path: .dist diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml index b56ca17..8d0192f 100644 --- a/.github/workflows/cid.yml +++ b/.github/workflows/cid.yml @@ -1,7 +1,10 @@ -# cid-workflow-version: 0.0.11 +# cid-workflow-version: 0.0.17 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! # name -name: cid-main +name: CID - DefaultBranch # triggers on: @@ -25,7 +28,6 @@ on: paths-ignore: - README.md - LICENSE - - .github/** - .gitignore - .editorconfig - renovate.json 
@@ -62,12 +64,14 @@ env: cdn01.quay.io:443 cdn02.quay.io:443 cdn03.quay.io:443 + codeload.github.com:443 github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 quay.io:443 raw.githubusercontent.com:443 storage.googleapis.com:443 + sum.golang.org:443 uploads.github.com:443 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" @@ -76,7 +80,7 @@ env: semgrep.dev:443 sonarcloud.io:443 EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- # jobs jobs: @@ -88,17 +92,18 @@ jobs: if: ${{ github.event.inputs.loglevel == 'debug' }} steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: info 
@@ -120,17 +125,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: build @@ -140,7 +146,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - name: upload artifacts - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: build-${{ github.run_id }} path: .dist 
@@ -154,17 +160,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: test @@ -174,7 +181,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - name: upload artifacts - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: test-${{ github.run_id }} path: .dist 
@@ -190,27 +197,28 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist continue-on-error: true - name: download artifacts > test - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: test-${{ github.run_id }} path: .dist 
@@ -236,21 +244,22 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist @@ -262,7 +271,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package - name: upload artifacts - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: package-${{ github.run_id }} path: .dist 
@@ -282,21 +291,22 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > package - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: package-${{ github.run_id }} path: .dist